When krb5.conf is configured to authenticate through an HTTPS proxy while no internet connection is available, sssd promptly fails even though cache_credentials is enabled:
    Aug 11 23:04:43 [redacted] [sssd[krb5_child[1669]]][1669]: Cannot contact any KDC for requested realm
    Aug 11 23:04:43 [redacted] [sssd[krb5_child[1668]]][1668]: Unknown code UUz 11
When switching back to a non-proxy setup, authentication will properly fall back to cached credentials. The setup otherwise works, i.e. while an internet connection is available during authentication. However, if no known WiFi is nearby, the situation becomes a catch-22.
sssd version: sssd-1.15.3-1.fc26.x86_64
KDC proxy: ocserv-0.11.8-1.el7.x86_64
Client krb5.conf:
    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [libdefaults]
      default_realm = [redacted]
      dns_lookup_realm = false
      dns_lookup_kdc = false
      rdns = false
      ticket_lifetime = 24h
      forwardable = true
      udp_preference_limit = 0
      default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
      [redacted] = {
        default_domain = [redacted]
        kdc = https://[redacted]/KdcProxy
        http_anchors = FILE:/etc/ipa/ca.crt
        auto_to_local = DEFAULT
        admin_server = ipa.[redacted]:749
      }

    [domain_realm]
      .[redacted] = [redacted]
      [redacted] = [redacted]
      [redacted] = [redacted]
Client sssd.conf:
    [domain/[redacted]]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = [redacted]
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = [redacted]
    chpass_provider = ipa
    dyndns_update = True
    ipa_server = _srv_, ipa.[redacted]
    dyndns_iface = br0
    ldap_tls_cacert = /etc/ipa/ca.crt
    debug_level = 2

    [sssd]
    services = nss, sudo, pam, ssh
    domains = [redacted]
    debug_level = 2

    [nss]
    debug_level = 2
    homedir_substring = /home

    [pam]
    debug_level = 2

    [sudo]
    debug_level = 2

    [autofs]
    debug_level = 2

    [ssh]
    debug_level = 2

    [pac]
    debug_level = 2

    [ifp]
    debug_level = 2

    [secrets]
    debug_level = 2
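Added example (not part of the original report and not SSSD project code): a Python check that flags the configuration combination described in this report, namely a krb5.conf realm whose kdc entries are all https:// KDC proxy URLs together with an sssd.conf domain that has cache_credentials enabled. The realm and host names in the sample input are constructed; the check does not follow includedir files and does not map SSSD domains to realms.

```python
import configparser
import re

def https_only_realms(krb5_text):
    """Realms in [realms] whose kdc entries are all https:// KDC proxy URLs."""
    realms, section, realm = {}, None, None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if (m := re.fullmatch(r"\[(\w+)\]", line)) and realm is None:
            section = m.group(1)           # top-level section header
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif line == "}":
            realm = None                   # end of the realm subsection
        elif realm is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "kdc":
                realms[realm].append(value.lower())
    return sorted(name for name, kdcs in realms.items()
                  if kdcs and all(k.startswith("https://") for k in kdcs))

def cached_domains(sssd_text):
    """sssd.conf domains with cache_credentials enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_text)
    return sorted(s.split("/", 1)[1] for s in cp.sections()
                  if s.startswith("domain/")
                  and cp.getboolean(s, "cache_credentials", fallback=False))

def audit(krb5_text, sssd_text):
    """Flag hosts that expect cached logins while every KDC is behind HTTPS."""
    realms, domains = https_only_realms(krb5_text), cached_domains(sssd_text)
    return {"realms": realms, "domains": domains, "affected": bool(realms and domains)}

# Constructed sample input; all names are placeholders.
SAMPLE_KRB5 = """[realms]
  EXAMPLE.TEST = {
    kdc = https://proxy.example.test/KdcProxy
  }
  DIRECT.TEST = {
    kdc = kdc.direct.test
  }
"""
SAMPLE_SSSD = "[domain/example.test]\ncache_credentials = True\n[sssd]\ndomains = example.test\n"
if __name__ == "__main__":
    print(audit(SAMPLE_KRB5, SAMPLE_SSSD))
```
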
Thanks for filing the bug. I think this is a duplicate of https://pagure.io/SSSD/sssd/issue/3420 which already received some attention (and there is a test repo for rhel-7.3, although it wouldn't be too hard to rebuild the WIP patch for Fedora as well if you want to test it). So if you agree, I would prefer to close this bug as a duplicate of #3420.
Hi @jhrozek, sorry for creating a duplicate - I was searching for "fallback" which didn't turn up that ticket. Hope the information in here is still of use for resolving the underlying issue. Thanks for your work on sssd!
No problem, please consider adding yourself to issue #3420 so you can watch the resolution progress.
Closing as a duplicate in the meantime.
Metadata Update from @jhrozek:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4500
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.